Ep. 4 – Unveiling the Future of Cybersecurity
Steve Rivera, CRO @ Logically
Chris Novak, Director of Cybersecurity Consulting @ Verizon Business
July 10, 2023 | 41 mins
In episode 4, Steve Rivera and Chris Novak talk cybersecurity and the future. From SMBs to enterprise companies, Chris reveals the motivations behind threat actors and how you can avoid them. See how you can learn from others’ experiences to minimize negative impacts to your business and stay protected in today’s fast-evolving threat landscape.
Key Takeaways from the Episode
- Insights into the most significant cybersecurity threats
- Future predictions for the evolving cyber landscape
- The impact and proliferation of ransomware
- The top three actions to prevent a cyber incident
Unveiling the Future of Cybersecurity with Chris Novak – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with top experts in the field. Today, you’re going to learn how to keep your data safe, your operations sound, and your business ready for whatever comes next.
This is Logically Speaking.
STEVE RIVERA
Today we have a really special guest, an old friend, co-worker of mine, Chris Novak, who’s the managing director of Verizon Cybersecurity Consulting. He’s had over 20 years of cybersecurity industry experience, ranging from field work to working with Fortune 100 C-suite and board advisory roles. In 2022, he was appointed to President Biden’s cybersecurity review board. He was named a top security leader by Security Magazine. He has been a contributing author to the Verizon Data Breach Investigations Report since 2008, as well as featured in TV, radio, print, and still waiting for him to get on Joe Rogan’s podcast. But he’s also a member of Forbes Technology Council, where he frequently writes on the topic of cybersecurity. Chris holds a Bachelor of Science degree in computer engineering from Rensselaer Polytechnic, which I didn’t get accepted to, Chris. I applied, but I didn’t get accepted to. I had to settle for NYU computer science. He’s got a CISO certificate from Carnegie Mellon, and he actively maintains a CISSP, CISA, PCI QSA, PFI, and a litany of other certifications. Chris, thank you for joining us today. You can probably, you know, I’m sure that you have your choice of podcasts, and so I’m glad that you chose us. Thanks for joining us today.
CHRIS NOVAK
Yeah, my pleasure. Happy to be here.
STEVE RIVERA
So I know that we have just a short amount of time. I wanted to talk a little bit about, maybe you could share, start with your experience outside of what I discussed, and maybe we can start there. And then I’ve got some questions specifically about our listeners are in that mid-market space. And so open to hearing about your experience, and then we can talk a little bit about that.
CHRIS NOVAK
Sure. Yeah. So I mean, you know, you got the background just right there. I’ve been in cybersecurity now for well over 20 years. It’s been a passion of mine since the very beginning. And actually, I’ve always found it interesting when I talk about kind of how I got into the field because, you know, I think people hate it and love it at the same time because I say it’s kind of an accident. And that’s because when you go back that far, cybersecurity wasn’t a thing. There were no degrees or anything like that you can get in cyber, you know. To your earlier point, it was basically computer science or computer engineering or some kind of derivative of one of those two. But you couldn’t get a degree in it and most people, if you asked, would have thought it was something from like science fiction movies at the time. So it was kind of an interesting wild ride. And obviously it’s been fun to watch the industry kind of grow, develop and, you know, innovate over that time period.
STEVE RIVERA
Yeah. No, it’s funny you mentioned that because I got my start deploying Raptor firewalls back in late. And those at the time were the DOD standard. They were viewed as the un-hackable firewall and firewalls were all the rage back then. And then this cool thing called intrusion detection. Yes. We were like, what? You know, so it’s so funny to kind of be in the industry as long as we have and to be able to, I, like you, stumbled upon it. I had a CEO of one of the largest bars in New York City who said, I don’t know anything about cybersecurity, or, we called it InfoSec back then.
CHRIS NOVAK
That’s right. Yeah. In fact, if you called it cybersecurity, people would kind of smirk at you like, all right, what are you trying to make this into being? It was always InfoSec.
STEVE RIVERA
And she had the forethought to say, well, I don’t know much about this InfoSec, but if you can make a couple of bucks out of it, go ahead, build a pack. Yeah, neat. So I appreciate your time. Look, I want to know a little bit about what your team is doing today and maybe like the biggest cybersecurity threat that you see out today in this mid-market space that our listeners are in.
CHRIS NOVAK
Sure. You know, I’d say, you know, when you look at it from a pure threat landscape standpoint, there’s a number of things that hit the mid-market. And honestly, I would tend to argue that the mid-market’s going to see a lot of the same things that the rest of the world and the rest of the markets are seeing. Probably areas where maybe they’re a little bit unfairly hit is in a lot of things like ransomware and more of the, I would say, kind of automated attacks. Because generally speaking, we find that they’re more challenged as it relates to getting budget and resources, right? Two of the things you need most. And in a world where we both know cybersecurity is a hot market, so maybe you can get budget, but finding resources is extraordinarily hard. Keeping those resources can be just as hard if not harder. So usually what we find is kind of striking that balance of getting what they need to deploy adequate protection against some of these attacks, which, you know, when you think about it, it’s kind of like a regular kind of kinetic war in a way that, you know, can you lob an attack that is very inexpensive for you to lob, and very expensive for the other side to defend or vice versa, right? That can really impact the economics of war, if you will. And, you know, I think cyber, we see a lot of the same thing and the mid-market typically is challenged in a lot of those regards.
STEVE RIVERA
So you brought up an interesting, and you put it in kind of warlike terms, right? So, what are some of the attack vectors that you’re seeing that are most successful? I mean, we hear about ransomware, we hear about phishing all the time. Is there anything out there that you can kind of look out on the horizon that could be as like, you know, if you had your crystal ball, what you’re starting to see, trends, you know?
CHRIS NOVAK
I’d say probably the biggest thing if I were to kind of look out there on the horizon, and we’re already kind of starting to see this develop a little bit, but I think we’re going to see more of it. And that is the use of AI, and I know it’s become very buzzwordy. But the fact of the matter is, you know, you were mentioning earlier when we were talking about RSA and, you know, all the different things kind of being shared on the show floor and all the different technologies that vendors are using. But at the same time, we also see that the threat actors are exploring how they can take advantage of it, right? And, you know, a lot of times people will say, oh, some key identifiers of, you know, phishing or social engineering attacks are, you know, misspelled words, grammar, you know, something sounds too formal, too casual. The ability for you to go to one of these platforms and say, write a message that looks like this using this style of language, it can do it fairly easily. And I think as we see that evolve over time, there’s an opportunity, unfortunately, for the threat actors to leverage that to automate and expedite the crafting of that. You know, for example, a lot of the things that we look at on the defensive side or the detection side is patterns, you know, where we see things that a threat actor is doing common from attack one to two to three to four, it makes it easier to block the subsequent attacks because they’re just repeating it. If they’re able to leverage something like generative AI to be able to create more nuanced and scalable versions of that, all of a sudden, maybe many of these attacks don’t look as common as they used to, which makes it harder and harder for the defense to be able to detect. And so I’d say if I was looking out on the horizon, I don’t think that’s mainstream by any means yet, but I think we’ll get to a point where it will become more mainstream, unfortunately.
STEVE RIVERA
Yeah, I was listening to the testimony of the CEO, I believe it was of OpenAI. Oh, right. Yeah. And he shared about the, you know, his concern about the malicious use and the harm that it could, I mean, that was pretty, I mean, to me, that was pretty telling. And you gave one use case. It’s interesting because we’re using it in a way where, you know, we’re using AI, OpenAI, to like target and prospect and to, you know, from a sales standpoint, which is really, you know, from a marketing and a content. I mean, it’s actually pretty encouraging to see that it’s creating that window. But I guess on the flip side of that, malicious actors can also do that and be very, very targeted in kind of how they’re scripting these phishing emails and such. And so how do you counteract that? Because I always feel like we’re in this cat and mouse, you know, mode where a malicious actor can leverage something like AI. How could we leverage AI to counter that? Is there anything that you’ve seen?
CHRIS NOVAK
So I mean, I do think that there’s more opportunity for us on the defensive or the good side of the equation than there is for the kind of offensive or, you know, ill-will use of the technology. And I think part of it is, I think there’s a better ability for us to collaborate, invest and build bigger, better, scalable solutions. Whereas I think for the threat actors, the cost of building something like this is tremendous. I think, you know, nation states will be able to leverage it and be able to advance it. But I think your more individual threat actors, your more organized crime groups, I think it’ll be more challenging for them to scale it in a similar way to what the defensive side can do. I think it’ll be harder for them to, you know, harness that power, expand their resource pool. A lot of the challenges that we all face, but obviously they’ve got to be able to do that on the criminal side and be able to engage more people in order to further that. And I do think we’ll have an opportunity to overcome that. But I think like everything with security, it’s always a cat and mouse game, right? We come out with a better firewall. They come out with some kind of exploit to try to take advantage of a vulnerability. And we go back and forth. And I think it’s more about, you know, hey, how do we kind of look ahead? Where do we see the future going? How do we invest in those right places to try to make sure that we stay in front of it? So, I do think that the future is still bright, even if some of the AI opportunities may have some bleak uses as well.
STEVE RIVERA
Yeah. I want to shift focus just a little bit and talk about industries. So, you’ve been in the industry a long, long time. And what industry do you see investing the least amount in cybersecurity? Is there an industry that’s lagging in terms of cybersecurity investment that needs to catch up based on, because you serve all markets, right, in your role? What industry do you see, and, you know, vertical industries is what I’m referring to, which ones do you think invest the least amount in cybersecurity and kind of need to focus on it more?
CHRIS NOVAK
Yeah. So, I mean, I would say this kind of ebbs and flows a bit over time. The areas where I think we’d say we see more of the challenges, for example, would be in things like education, health care, they’ve been hit very, very hard. And then I think also, you know, if you look at it from a size and scale perspective, generally speaking, your smaller and more medium to mid-sized businesses typically struggle more because the large enterprises, they generally have large IT teams, large InfoSec or cybersecurity teams. But usually if you kind of look at it like a pyramid, you start getting about halfway down that pyramid, there’s a tremendous amount of organizations that live in the bottom half of the pyramid, but they don’t necessarily have the same level of resources to apply toward cybersecurity, or maybe in some cases, as you move even further down to the small business arena, they may not even be tracking on it at all. There was a study I was reading just the other day, and I don’t remember the exact study, but the numbers were surprising in terms of the amount of organizations that said cybersecurity and cybersecurity resiliency weren’t even really on their roadmap. Now, again, these were more of your small to mid-tier businesses, but again, it tells you that they’re still not entirely tracking on this as being a need. And I think it’s also complicated by the fact that, you know, the economy is in a weird kind of rocky, questionable state, right? Nobody really knows where we are or where we’re going. And I think that also creates challenges for more of your small and medium-sized businesses to struggle with figuring out where they are going to make investments. Your larger organizations typically are better capitalized and have more of a longer-term, you know, roadmap and strategic planning and vision.
STEVE RIVERA
Yeah. I mean, it doesn’t strike me as odd, right? No. I mean, you have the small organizations with the more finite budgets, they have to choose where they put their, you know, their limited resources. However, and I want your opinion on this, I’ve found that the small organizations are incapable of recovering from an event, an outage, disruption when it comes to ransomware, cyber-attacks or, you know, anything like that, that their recovery or their impact is greater from an overall business standpoint. Like some of them quite possibly could not recover enough to actually be back in business in a reasonable amount of time. Are you seeing that as well, or what do you see in instances like that where a small to medium business gets shut down for two weeks, three weeks at a time and then has to recover that lost revenue?
CHRIS NOVAK
Yeah. So, I mean, it’s unfortunate, but we’ve seen cases like that where organizations have not recovered from, you know, an incident or a breach. And obviously, we never want to see that happen, you know, and that’s obviously why we try to be very proactive, you know, kind of share the information and the research that we do like the Data Breach Investigations Report and such. But you’re right. There are circumstances where organizations, they’re just, I’d say, a combination of not being well prepared, not having the right, you know, say partner ecosystem in place to help them either in advance or when an event occurs, or they think that it’s not going to happen to them. There’s somebody else that they believe it would likely happen to first. And so, as a result, they don’t take the necessary steps. And, you know, to your point of the impacts of these events, you know, for a small to medium-sized business, the impacts of a cyber event can be very oversized. You know, if you get hit with a multimillion-dollar ransomware demand, and you don’t have the resources in place to either pay the ransom, do it quick enough or have the appropriate backup and resiliency functions in place, there may not be a recovery option for you, or the recovery timeline might exceed what your capabilities are. And that definitely creates issues. We’ve also seen organizations lean on things like cyber insurance. But again, I would say that’s maybe kind of like a crutch, you know, and like a crutch, you still need to have some strength in you to be able to move, right? The crutch doesn’t walk you. The crutch helps you walk, right? And so I think that is a tool or an enabler. But again, it’s not everything. Organizations still need a fair degree of, you know, robust, you know, infrastructure, processes, etc. And, you know, everyone will tell you that that’s not going to be the end-all be-all; that’s just going to be kind of one of the tools in your toolbox, if you will.
STEVE RIVERA
Yeah, it’s interesting you brought up cyber insurance. So yesterday I was meeting with a mid-sized company, about 2,000 employees, and asked them about their incident response plan. And I got this sheepish look on their face like, we need your help on that. And I said, well, what about, you know, who do you have for digital forensic investigations? Because, oh, we rely on our cyber insurer. Okay, you have cyber insurance. That’s great. What about local law enforcement, right? Do you have the contacts with federal and local law enforcement should you need to? And she just, again, just looked at me with this blank stare. So we walked through, and I have to admit I learned this from you, the three-legged stool, right? You need to have your legal counsel. You need to have law enforcement. And then you need to have a third-party incident response company on retainer to be able to respond no matter how large or small an organization, because you’ve always said it’s not a matter of if, it’s a matter of when. And so being aired, right? That proactive. So, I appreciate that. I’ve carried that message on.
CHRIS NOVAK
And if I could just add on to that too, Steve, that, you know, and I always tell organizations that, you know, it’s funny because sometimes I’ll speak with the smaller organizations and they’ll say, look, excuse me, the large organizations have it easy because they’ve got all these resources and budget and all these things. And, you know, they’ve got an entire in-house staff that may be larger than a small business, right? They could have 100 people on their incident response team. But even still, those large organizations will have third parties that they lean on. And what I always tell people is it doesn’t matter the size because at the end of the day, you could have one massive incident that, you know, outweighs your capabilities or you could be faced with multiple incidents on multiple fronts and you can only scale so much, you know? And so kind of having, you know, almost like a mutual aid agreement of sorts, you know, having, you know, incident responders or even in some cases more than one firm that you can lean on, I think is really beneficial because nobody wants to be caught in that position where an event occurs and you have to go to your CEO and say, hey, you know, unfortunately we never planned for a contingency for what might happen here and now we’re really, really stuck, or, you know, we have to engage someone but, you know, we don’t have an agreement with them so it’s going to take, you know, a week to get something done, and that’s not a situation anyone wants to be in. (00:18:15)
STEVE RIVERA
Yeah, yeah. No, those are cautionary tales for sure. Sure. So I want to shift again and ask you kind of again to open your crystal ball and see how do you think the cybersecurity landscape will change over the next five years? I won’t ask you to look out 10. If we looked back 10, we would go, wow, we never anticipated some of these things. But in the next five years, how do you see the cybersecurity landscape changing in this market that we’re kind of talking about, this mid-market? And again, you know, I won’t hold you to it.
CHRIS NOVAK
(00:19:00) That’s fair. So I would say, you know, kind of continuing from the previous kind of conversation we had around generative AI, I think that is going to continue to be a challenge and I think that’s only going to get more challenging as time goes on as the capability becomes more readily available to everybody. And I think that, you know, kind of your small to mid-market organizations are going to struggle because like anything, generally speaking, when there is newer, more innovative technology, kind of going back to that pyramid, generally it’s the organizations at the top of the pyramid that can afford to beta test and try all that stuff out and really kind of get their arms around what’s involved with it much more quickly than organizations maybe further down that pyramid. So, I think we’re going to continue to see threats on that landscape. I think the other thing too, if we’re looking out into the future, I think there’s also risk around things like quantum computing and the potential for that to impact, you know, cryptography. There’s also risk for folks who may not be familiar with it. Obviously, the world of what we revolve around and everything that’s important to us exists largely because of strong cryptography or encryption. It protects that information, right? The conversation we’re having here is going over an encrypted connection. You know, you pick up your phone, you send a message, you know, whatever it is you’re doing, you interact with your bank, it’s all encrypted. And obviously the concept or the concern that exists here is thinking out into the future with the advancements of quantum computing, there’s a much greater ability that at a future state we’re going to be able to break the encryption of today in a relatively short period of time. And, you know, what’s given most people comfort is historically we’ve thought it’s going to take hundreds or thousands of years to break the encryption.
By then you and I aren’t going to care if someone has access to our data because we’ll be long gone. But with quantum, there’s the potential that that can happen in a much more real-time fashion. So obviously there’s a need for us to be looking at things like quantum-resistant encryption in order to make sure that communications and data remain, you know, safe and protected. So if I was kind of looking out there in the future, I’d say those are probably some of the more kind of substantial, but maybe a little bit more far-reaching concerns. I think we’ll continue to see evolutions of also more of the traditional current-day events like ransomware, extortion, you know, targeting of individuals. You know, one of the other trends we’re starting to see pick up is targeting of executives. You know, historically we’ve seen, you know, more of the end user population or the consumer population being hit. Now we’re starting to see that kind of bubble up where the C-suite is actually being targeted now because threat actors are looking at them as being, you know, either less protected in an odd, twisted sort of way, or organizations are making more exceptions to the rules and the policies for them. You know, a CEO or a CFO doesn’t want to have to change their password every 90 days or, you know, they want to be able to use a personal device instead of a corporate device. And so all of these things bring about risk to individuals in the organization that have access to a lot of really sensitive information. (00:22:02)
STEVE RIVERA
Yeah, you bring up an interesting point in terms of like top executives because most of the time they tend to be the ones who want to be the exceptions to the rule. And so that opens up a vulnerability that seems to be exploited. And so you have more exposure from that standpoint. A couple of weeks ago, I got a text message, and I see this happening more and more, I got a text message from our CEO saying, Hey, this is Josh. I got a new phone. Can you call? Can you text me back on this line? And I was like, it’s Saturday morning. He never reaches out to me on a Saturday morning this early. And so I texted Josh on the cell phone that I had. And I said, did you get a new phone? He goes. I go, you want to play with a threat actor? You know, it was pretty funny. I just blocked it. But it’s right. It’s true that that becomes the, you know, the attack pattern becomes more spear phishing and targeted in nature.
You’re right, because I remember when we first started with the DBIR, it was all about credit cards. It was all about social security numbers. It was all about, and that was where the breaches were happening most frequently. Now they tend to be more surgical in nature.
CHRIS NOVAK
(00:23:30) Absolutely. Yeah. I think when you look at things like AI and the ability to, you know, I mean, you saw that message and obviously it triggered you to respond as you did, which I think is great. I think a lot of people would be fooled by something like that. The other thing also is for individuals where there’s a lot of information about them out there, you know, the other thing that we’re also seeing are things like deep fakes. And so, for example, someone will get a phone call that sounds like you or me because they’ve used AI to generate a voice that sounds and speaks like you or me. And so they’ll say, Hey, this is, you know, this is Steve Rivera. I need you to do this. And someone’s going to say, okay, it sounds like Steve and this is the way Steve speaks. So, I’m going to listen to it. Right. And so there was actually an interesting segment on 60 Minutes where this exact situation had played out and they’d showed a demo of someone getting a spoofed phone call. So the caller ID looked like it was coming from that person. And then they used AI to generate a conversation with that person using essentially a deep fake version of their voice, which, you know, it’s scary. And, you know, there’s a lot of organizations now too that are using voice prints for authentication. You know, there’s a lot of financials that are starting to use that as a way to try to simplify and reduce friction, but now there’s the challenge of if we can deep fake someone’s voice, then there’s the potential we can get into, you know, their bank account, brokerages, things like that. So it creates a lot of interesting challenges. (00:24:59)
STEVE RIVERA
Wow. You brought up something that absolutely scared me now that we’re doing a podcast, right? And we’re recording our voices. You’re like, maybe I got to use one of those voice changers.
But then how would you recommend countering that? Is it multi-factor? Is it challenge and response? I mean, how do you propose to educate your user community about something like that? Because now it truly is zero trust, even voice, right? So that’s right. So how would you recommend that our listeners kind of tackle that? Or anything?
CHRIS NOVAK
So, I think, you know, to your point, zero trust, I think is kind of where we’re heading, you know, whether we were intending to be there or not. I think that all of this is just further evidence of the need for that, especially when you’re not necessarily in the presence of the individual to be able to verify that it’s really them, right? And I think it’s more and more challenging nowadays because of the fact we’re doing more things remote. So you know, you trust that I’m me and I’m trusting that you’re you. For all we know, this could be an AI conversation that is happening between two computers. But you’re right that I think, you know, ultimately it comes down to a combination of zero trust and a combination of multi-factor authentication, and strong multi-factor authentication, I think, is really the only way to really, you know, adequately be able to tackle that kind of problem.
STEVE RIVERA
Great. No, I appreciate that. So I did want to ask, because you have a certain visibility into this because of the partnerships that you have forged and your experience. What are some of the threat actors that you’re starting to see that are becoming very prevalent? And, you know, maybe you can share a little bit about their methodology and the process that they use.
CHRIS NOVAK
Sure. Yeah. I would say that a lot of it comes down to financial motivation. You know, you mentioned earlier some of the things that we have historically seen targeted since the beginning of us collecting data, right? And if you think of the DBIR, now we’re about to come out with our 16th iteration of it, right? So, it’s 16 years running, even longer in terms of data collection. And since the beginning of our data collection, one of the things we’ve always found is that the majority of threat actors are motivated by financial gain. Now that’s not to say that’s the only motivating factor. We do see a small percentage that is espionage. And you know, I always tell people to kind of caveat, because the news typically is much more interested in espionage-related cases; that makes for better TV, right? But the reality of it is if you think about the kinds of crime that you might encounter in your normal everyday life, you’re probably not regularly encountering, you know, espionage types of incidents as you walk through your neighborhood, or at least I hope you don’t. Most of the crime that we all experience is financially motivated. It’s, you know, petty theft. It’s, you know, breaking into someone’s car, breaking into someone’s home, breaking into a business, but even in all of those physical cases, typically the goal of the actor is what can they steal that they can sell? And, generally speaking, we see the same kind of motivation on the cyber side of things. Like it’s a combination of what can they steal and sell? And also what can they extort and get paid for? Like things like ransomware attacks. So, I think we’re going to continue to see a lot of that as we go forward. The tradecraft that they use either to get their tooling or their ransomware into the environment kind of shifts back and forth.
You know, a lot of it again, coming back to social engineering, whether it’s, you know, phishing or pretexting types of attacks or other forms, but ultimately for them, it’s how do they get paid and then how do they move on to the next one? And it’s interesting because if you kind of compare and contrast the early days of breaches versus kind of more of what we see current day, in the earlier days, these events played out over much longer time horizons. You know, we’d see breaches that would run for weeks or months or even in some cases years, and it’s not to say those events don’t still happen today. But when you think about it from a threat actor motivation perspective, they want to get paid and they want to get paid quickly. They’re generally not in it just to mess around and have fun. There are some of those, but for most of them it’s a payday for them. It’s a job. And so the quicker they get paid, the quicker they can move on to the next one. And things like ransomware and other forms of attacks like that generally result in them getting paid much, much more quickly than your traditional data theft and sale, because they need to get in, they need to get the data, they need to get it out, they need to find a deep or dark web market to sell it, they need to connect with a buyer. So all of that can take time in order for them to ultimately get from breach to monetization, whereas ransomware, you know, very much, you know, reduced the timelines and the level of effort in a lot of cases that they need to exert.
STEVE RIVERA
I want to ask your opinion about something. And again, I know it’s just your opinion and I want to caveat that, but like, you know, the proliferation of ransomware, I think, is because many people choose to pay the ransom. So if we stop that spigot, we will see that that attack vector or method will cease or at least. So do you have an opinion as to whether a company should pay the ransom or not? And then kind of as a follow-up, do you see cyber insurance eventually going away in terms of paying out ransoms, because it’s like, it’s a loss leader, right? So I’m interested in your thoughts.
CHRIS NOVAK
(00:30:58 – 00:34:36) Great question. And there’s a lot of debate on this topic. So I would say that I think cyber insurance is not going to go away. I think it’s going to be here forever. I think it’s a fast-growing market. And honestly, it’s interesting. There was a study that was done a while ago as to what the number one reason was that organizations bought cyber insurance. And the top reason was to pay ransoms. People were concerned about not being prepared and able to pay a ransom, or pay it quickly enough. And so they bought cyber insurance, and a lot of cyber insurance brokers, that’s kind of how they marketed it. You know, this is the downfall or the outcome that can happen if you get hit and you don’t have an ability to pay in 48 or 72 hours, whatever the demand is; buy cyber insurance and we’ll take care of that for you. And then I think they got quickly overwhelmed with the amount of claims that rolled in. I agree with you that choking off the money supply generally is a great way to restrict any kind of threat actor, right? We see that in many different cases around the world. So, I think from my perspective, my recommendation is always avoid paying. And the way I think we get to that is being better prepared, having the right, you know, policies and procedures in place. One of the most popular things that my team gets involved with today are things like ransomware breach simulations. In fact, we’ve even done it internally for Verizon, where we actually walk through what a real event would look like, feel like, smell like, taste like. Like, you got to be there. You got to feel it and say, these are the events that are unfolding, and this is the clock that’s on you to respond. And these are the repercussions or consequences. And you know, I think the only way you get to a point of being able to avoid paying is feeling that you are prepared enough, that you’ve got the right resilience in your organization to say, we won’t pay. These are our plans. 
We’re going to execute them, and we will be fine. Typically, organizations end up paying when there’s a breakdown, or the plan doesn’t execute properly, or something else like that happens, or maybe they don’t have any plan whatsoever at all. And so that’s typically where we see that play out.
And the other advice I always give people is because sometimes there’s a notion that, well, if I pay the ransom, it’s done. But the reality of it is, in most organizations, that maybe works, right? And I say maybe because sometimes the key doesn’t always decrypt properly, or the tool doesn’t always work properly, or the threat actor doesn’t respond with a decryption key at all. All these things can happen. And then still, at the end of the day, even if everything decrypted great and you had the best possible experience with a threat actor, you still have to go through the process of doing the root cause analysis to figure out how they got in and make sure you’ve addressed the issue. Because, as you know, one of the other things I always say is that every time you pay a ransom, it also kind of puts a target on your back, because other threat actors now know you either will pay, or have the wherewithal to pay, or you’ve got cyber insurance that’s going to stand in and pay for you. So, if I can get in there in the next 30 or 60 or 90 days and hit you again, maybe there’s a good chance I can get that payday as well. So, I think there’s an element of, you know, there’s a potential for repetitive incidents that can also occur there. But I don’t think cyber insurance is going away. I think ultimately what we’re going to see, kind of the long answer to your short question, Steve, is I think that the requirements to get the insurance are going to get ratcheted up. The insurance companies are going to say, if you want this level of coverage, you need to prove this level of resiliency. And the premiums are also going to go up to care for the fact that the claims are starting to roll in more heavily.
STEVE RIVERA
Yeah. No, I was involved in a CISO round table last week in Chicago. Oh, by the way, Dave Ostertex says hello. And I was involved in this cyber insurance round table and that’s exactly what we talked about. Everyone in the room talked about the premiums going up by a factor of two, three, four times, and the requirements, you know, MFA or monitoring, and these certain baseline requirements that they didn’t think they needed to have previously now are being required by the cyber insurance. So it becomes that balancing act of do you pay the premium, do you self-insure, or do you roll out these countermeasures?
When you mentioned the breach simulations, you know, I partook in a few of those that your team used to lead. And I will tell you, they always appeared to me like Dungeons and Dragons, right? And your team being almost like the Dungeon Master, throwing out these scenarios and then continuing to evolve the scenarios. And the clients always found incredible value in that because they always found something that they could improve on or something that they had not considered. And so, I always found incredible value in that. So, I’m glad you mentioned that because I find that having that muscle memory increases the rate of success or the probability of success when an incident does occur. Absolutely.
So, you know, kind of in closing, Chris, I’m hoping that you might be able to give just two to three things that our listeners can kind of take away, right? And talk about two or three things that they could do to prevent becoming a victim or having an incident that might be catastrophic.
CHRIS NOVAK
Sure. Yeah. So I’d say if I had to, you know, give you a couple: one, you already mentioned the breach simulations, which I think is hugely important because, you know, I think that a lot of organizations... that actually reminds me of a conversation I had, and this was a number of years back before we even offered breach simulations, where, you know, a CISO had said, hey, you know, is there a way you could kind of help us orchestrate like a small breach? One that gets our executives’ attention on the problem, gets me the budget I need, but not so massive that, you know, we all lose our jobs, right? I mean, and you know, he was kind of not entirely serious, or at least I don’t think he was. But that’s kind of, you know, where the idea of the breach simulations really was born out of: organizations were struggling because historically creating a policy is easy. You go tell an intern, hey, write us a policy that does this, follow this framework. And in a couple of weeks, you’re going to have a policy document. But the thing that we’re always pushing on organizations is you need more than, you know, a book on a shelf that says we’ve got a policy. There actually has to be something that you can exercise, and you can go through, as you said, kind of have that muscle memory. And you also need to make sure that the senior leadership, the executive leadership, is on board because, to your point, in the Dungeons and Dragons game that kind of plays out, usually the issue we see is on paper, everyone’s in full agreement; in practice, when it actually comes time where someone has to make the hard decision of X or Y, that’s when all of a sudden everyone starts disagreeing with what we have in the policy, and they want to go do something else. So having that simulation really makes it real. 
The other thing that I always say, and this one’s kind of a back-to-basics kind of recommendation, and that is asset inventory, probably one of the most boring recommendations I can put out there. But I’ll tell you that there are so many breaches that my team has helped organizations investigate where it comes down to the entry point or the entry vector was an asset that the organization just wasn’t even aware of, wasn’t tracking. And if you’re not aware of the assets that you have, and I know this sounds trivial and maybe everyone will say, oh, I’ve got that covered, I challenge you to go back and check it, because inevitably that’s usually what we find: it’s an asset that’s not being tracked, and therefore there’s no vulnerability scanning, there’s no patch management that’s happening. And so, as a result, it becomes this wide-open target for exploitation that threat actors are just going to zoom right in on, take advantage of, and then move within the organization.
And then that kind of dovetails to another one that I’d say is also very critically important, and that is kind of a combination of vulnerability and patch management and things like pen testing and red teaming, really kind of putting the screws to that team and seeing how well are you performing on all of those metrics? How well are you able to keep up on your patch rotations?
It’s interesting when we look at things like Log4j. That was a big newsmaker in terms of kind of the vulnerability and kind of cyber supply chain landscape. And one of the things that we found out of that was the majority of the exploit attempts that were going after that kind of vulnerability, in terms of scanning and looking for potential targets and trying to exploit a Log4j vulnerability, the majority of that attack targeting happened in the first 30 days after it was essentially announced. So having a robust plan that you can execute is very much a critically important item.
STEVE RIVERA
No, I appreciate that. I wanted to comment on two of the things you said. First was the asset inventory, right? I thought, you know, folks that I meet with, it’s not a one-time event, right? It’s continual, because networks evolve. Absolutely. They change, assets come, and assets go, and user access as well, right? It’s who has access to what systems when.
You mentioned the incident response plan, or having that book on the shelf. I recently had an occasion where a customer had an incident and called us, and we were ready to jump in and we asked, okay, your systems got encrypted. Where’s your incident response book? And it was just crickets – silence. It’s on the laptop. It’s on the desktop that is not encrypted. Sure. I’ve seen that before as well, or I’ve seen like the backup environment is connected to the production environment and ransomware runs through all of it at once. Yeah, that’s bad news. So, you know, for our listeners, right? Print out the book, have one in the office, have one at home, you know, so you don’t, I mean, these basic things oftentimes get overlooked in the event of an emergency. These are the things that become massive issues when you don’t have them readily handy.
Well, Chris, I really – I can’t thank you enough for your insights and your time and such a provocative conversation for our listeners.
That’s all for this episode. Make sure you take time to listen to our next episode of Logically Speaking and stay cyber-first and future-ready.